
ISO/IEC 27018:2025 – Protecting PII in Public Cloud: A Guide for Cloud Processors

ISO / IEC · Published 2025 · Active

Customer privacy is of the utmost importance, especially when personal information is stored in the cloud. The internationally recognised ISO 27018 Standard sets out guidelines to help cloud service providers, IT security managers, and legal and compliance teams protect personally identifiable information (PII) in public cloud settings. Building on the ISO/IEC 27002 framework, it adds specific controls for data privacy in the cloud, including consent, transparency, PII minimisation, and sub-processor management.

Updated from the 2019 edition, ISO/IEC 27018:2025 reflects current global privacy and cloud security practice, helping organisations align with major privacy regulations such as the GDPR and the Australian Privacy Act.

Buy ISO/IEC 27018:2025 PDF   →

📖 What Is ISO/IEC 27018:2025?

✦ KEY TAKEAWAYS

  • Code of practice for protecting PII in public cloud environments.
  • Builds on ISO/IEC 27002 with specific cloud privacy controls.
  • Latest 2025 edition replaces and updates the 2019 Standard.

ISO/IEC 27018:2025 is an international code of practice that provides guidelines for protecting personally identifiable information (PII) in public cloud computing environments. It sets out principles for how cloud service providers should handle, store, and process personal data on behalf of the customer so that the privacy of the individuals concerned is maintained.

ISO 27018 builds on the ISO/IEC 27002 framework, adding specific controls for data privacy in the cloud, such as consent, transparency, and data protection measures. It sets out expectations such as limiting data use to authorised purposes, protecting data from unauthorised access, ensuring secure deletion, and being transparent about data handling practices. The 2025 edition is the latest version of ISO 27018 and replaces the 2019 edition. It aligns with current security standards, improves clarity, and addresses evolving privacy risks in cloud environments. It also strengthens guidance on accountability, third-party processing, and cross-border data handling, providing a widely recognised control framework for public cloud service providers acting as PII processors.

Access the full ISO/IEC 27018:2025

Get the official ISO/IEC 27018:2025 Standard.

Buy ISO/IEC 27018:2025 PDF   →

📖 Who Does ISO/IEC 27018:2025 Apply To?

✦ KEY TAKEAWAYS

  • Primarily for public cloud providers acting as PII processors.
  • Relevant to IaaS, PaaS and SaaS providers managing customer data.
  • Applicable globally, regardless of provider size or location.

ISO/IEC 27018:2025 applies primarily to public cloud service providers that process PII on behalf of their customers (cloud PII processors). The Standard is especially relevant to cloud providers offering services like IaaS, PaaS, and SaaS, where large volumes of customer data are managed within shared, multi-tenant cloud environments.

The Standard also benefits organisations that use cloud services, including public and private companies, government entities, and not-for-profit organisations, by giving them visibility into how their data is handled. These organisations can select providers that comply with ISO/IEC 27018 to gain assurance that their customers' personal data is properly protected, securely processed, and handled with transparency and care. Note that conformance is evidence of good practice, not a guarantee: customers should still verify the certification scope and the specific controls in place.

The ISO 27018 framework is applicable anywhere, regardless of the geographic location or size of the cloud provider, and supports consistent privacy practices across global operations and varying regulatory environments.


📖 Key PII Protection Controls in ISO/IEC 27018

✦ KEY TAKEAWAYS

  • Six core controls from consent through to breach response.
  • Designed to ensure responsible handling of personal data.
  • Aligned with international privacy practices and accountability standards.

The ISO 27018 Standard covers a comprehensive set of key PII protection controls: consent and purpose limitation, transparency obligations and customer control, PII minimisation, data retention and secure deletion, sub-processor and third-party controls, and breach notification and accountability. These controls are designed to ensure that personal data is handled responsibly, consistently, and in line with recognised international privacy practices within cloud environments.

1 Consent and Purpose Limitation

Cloud providers must ensure that PII is only processed with proper, informed consent and strictly for the purposes agreed with the customer. This means that data cannot be used, analysed, or shared for unrelated activities, such as marketing or profiling, without explicit permission. As such, the Standard helps maintain customer trust and legal compliance.

2 Transparency Obligations and Customer Control

Providers are required to be clear and open about what PII is collected, how it is used, where it is stored, and who it is shared with. This transparency enables customers to make informed decisions and, where applicable, access, correct, or manage their data in accordance with privacy expectations and regulations.

3 PII Minimisation

Only the minimum amount of personal data needed should be collected and processed, ensuring that unnecessary or excessive data is not retained. This reduces the impact of a breach, since data that was never collected cannot be exposed, and supports efficient, responsible data management practices.

4 Data Retention and Secure Deletion

Personal data must not be retained longer than required for its intended purpose. Once it is no longer needed, it should be securely deleted or returned to the customer using appropriate methods to prevent residual data from being accessed or reconstructed. In practice this needs to cover every copy, including backups, replicas, and data held by sub-processors, not only the primary storage location.

5 Sub-Processor and Third-Party Controls

Cloud providers must carefully select, control, and monitor any subcontractors (sub-processors) who handle PII to ensure they meet the same privacy and security standards. Any disclosure of data to third parties must be authorised, documented, and protected through contractual and technical safeguards.

6 Breach Notification and Accountability

Providers should implement processes to quickly detect, assess, and respond to data breaches, and to notify affected customers promptly so that those customers can meet their own regulatory reporting obligations. They must also demonstrate accountability through documentation, audits, and ongoing monitoring of how personal data is handled and protected.


📖 Relationship with ISO/IEC 27001:2022

✦ KEY TAKEAWAYS

  • ISO 27018 supplements — does not replace — ISO 27001.
  • ISO 27001 establishes the ISMS foundation; 27018 adds privacy controls.
  • Together they deliver comprehensive cloud data protection.

ISO/IEC 27018 builds on and extends ISO/IEC 27001 controls by adding specific privacy requirements for cloud PII processing. ISO 27001 provides the overall framework for an Information Security Management System (ISMS), focusing on information protection through risk management, governance structures, documented policies, and implemented security controls across an organisation. ISO 27018 does not replace 27001. Instead, it supplements it by introducing additional, targeted controls for protecting PII in public cloud services. These controls address areas such as data processing roles, customer instructions, and enhanced privacy safeguards.

Typically, organisations implement ISO 27001 first to establish a security foundation, then apply ISO 27018 to extend the ISMS with privacy-focused requirements such as consent, transparency, data handling rules, and accountability measures. This provides a more comprehensive and trustworthy approach to cloud data protection.


📖 Alignment with Privacy Laws

✦ KEY TAKEAWAYS

  • Supports alignment with GDPR and the Australian Privacy Act.
  • Provides a recognised control framework for contracts and audits.
  • Complements — but does not replace — local legal compliance.

ISO 27018 is designed to be consistent with current privacy laws and supports organisations in managing personal data responsibly. It helps businesses align with major privacy regulations such as the General Data Protection Regulation (GDPR) and the Australian Privacy Act, as well as other national privacy legislation, by providing structured controls for handling personal data, including consent, appropriate data use, and strong security measures.

The Standard offers a recognised international control framework that organisations can reference in contracts, service agreements, audits, and regulatory submissions to demonstrate their commitment to protecting personal data. This can improve stakeholder confidence and support cross-border data management.

While ISO 27018:2025 demonstrates systematic and auditable privacy controls, it is not a substitute for legal compliance. Organisations must still identify and meet the specific legal obligations of each jurisdiction in which they operate, including regulatory reporting, individual rights, and enforcement requirements.


📖 Closing Remarks

The ISO 27018 Standard is an international framework that sets out guidelines to help cloud providers strengthen how they protect and manage personal data in the cloud. It supports compliance with privacy regulations such as the GDPR and the Australian Privacy Act, simplifying the task of meeting legal and contractual obligations across different regions. Certification builds customer trust and competitive advantage, as organisations are more likely to select providers who can show they follow internationally recognised privacy standards.

Enhance your existing security framework with privacy-specific controls and create customer relationships built on trust. Purchase your copy of the ISO/IEC 27018:2025 today, or reach out to our friendly Intertek team for more information about obtaining your cloud security certification.


📖 Related Articles and Standards

  • ISO/IEC 27001:2022: Information Security Management for ICT Products
  • ISO 9001:2015: Quality Management Systems for Product Manufacturers
  • AS/NZS 3000:2018: Wiring Rules for Electrical Installation Compliance


Frequently Asked Questions (FAQs)

Common questions about ISO/IEC 27018:2025

What is ISO/IEC 27018:2025?

ISO/IEC 27018:2025 is an international code of practice that provides guidelines and controls for cloud service providers acting as PII processors to protect personally identifiable information in public cloud settings. It builds on the ISO/IEC 27002 framework by adding specific controls for data privacy protection in the cloud, such as consent, transparency, and data protection measures. The Standard is particularly relevant for cloud providers offering services like IaaS, PaaS, and SaaS.

What has changed in the 2025 edition?

The ISO/IEC 27018:2025 Standard updates its controls to align with the revised ISO/IEC 27002:2022, ensuring consistent terminology, structure, and control frameworks across the ISO 27000 family. The 2025 edition is a significant technical revision that better reflects the current global privacy environment and the rapidly evolving cloud security landscape. It also updates and modernises controls to address emerging risks, technologies, and data processing practices, while improving overall structure and clarity.

Does ISO/IEC 27018 ensure GDPR compliance?

No. ISO/IEC 27018 does not automatically ensure GDPR compliance, but it strongly supports it. It provides a structured set of PII protection controls that closely align with the principles of the GDPR, including consent, transparency, data minimisation, and secure processing. Implementing ISO 27018 helps organisations demonstrate good privacy practices and supports GDPR readiness, but it does not by itself make them legally compliant.

Can an organisation be certified against ISO/IEC 27018?

ISO/IEC 27018 is a code of practice rather than a management-system standard, so it is not certified on its own. Certification bodies typically assess its controls as an extension of the Information Security Management System (ISMS) certified under ISO/IEC 27001:2022, with the 27018 controls included in the scope of that certification.

Who needs ISO/IEC 27018?

ISO/IEC 27018 is mainly needed by public cloud service providers, including SaaS, PaaS, and IaaS providers, because they store and process customers' personal data and must demonstrate strong privacy protection practices to customers and regulators. Cloud service customers that outsource personal data processing to the cloud also benefit from the Standard when selecting and contracting with providers.